Nexus of Metrics: Oil and Gas Survey Results

Concerns about how a cyberattack on critical infrastructure could affect the United States are nothing new.

We even have Ted Koppel illuminating the risk to the electric grid in a new book called “Lights Out.” But even with all the attention on the subject, it can be hard to really measure the existing risk.

One of the most misleading ways to measure risk is to produce an ‘attack count’ metric. It’s a popular measure because it’s intuitive for the general public, but defining what counts as an attack in this context is tricky at best.

The conclusions can be swayed by whether you count every portscan or only clearly identified attack signatures. And neither of these definitions includes zero-day attacks, which by definition are not detected (lest they cease to be zero-days).

All of this adds up to the need for more information on what the risk to critical infrastructure really looks like. At Tripwire, we often conduct surveys of industry professionals to gain insight into the risk and issues in a particular market.

We’ve looked at critical infrastructure before, specifically energy. The electric grid is a hot topic, as evidenced by Mr. Koppel’s foray into the subject. There is, however, another area of critical infrastructure that needs attention: Oil & Gas.

There are more than 2.3 million miles of pipeline in the United States, connected to a variety of businesses, including refineries and airports. There’s also a vast industry of supporting organizations around oil and gas production and distribution. Frankly, the oil and gas industry deserves just as much attention on the cybersecurity front as the electric grid.

I tend to think of these three metrics as samples along a continuum, measuring performance or state from the outside of the organization inward. The rate of cyberattacks gives us awareness of the overall threat environment. This is the raw, is-it-getting-better-or-worse metric. From the results, we can clearly say that it’s getting worse.

The ‘successful cyberattacks’ metric identifies the most important measurable subset of the previous metric, i.e. of all those attacks, some are successful; is that getting better or worse? Again, it’s getting worse.

Finally, we sample how the defenders perceive their ability to detect attacks. This closes the loop by concluding that while the threat environment is worsening, our ability to detect and respond is not keeping pace.

In other words, attacks on the oil and gas sector are increasing in both volume and success rate, and we’re unable to detect them.

The question at the end of any data analysis is what to do about it. Is there behavior that we should change as a result?

There are three metrics and three areas of response here:

1. Reduce the number of total attacks.

Reducing the total number of attacks is, essentially, an action that takes place in the external threat environment. As an industry, we can make oil and gas companies a less attractive target. We can eliminate threat actors; we can reduce the overall attack surface.

Most of these steps depend on geopolitical players rather than internal action, but they’re worth putting on the table. Reducing the overall attack surface is actionable by oil and gas companies: if you reduce your presence on the Internet, you reduce the number of attacks that are possible.

2. Reduce the percentage of attacks that are successful.

This is, simply, the instantiation of common best practices in attack prevention. You can include in this category any action around hardening configurations, improving the ability to find and patch vulnerabilities, ensuring least privilege access is enforced, and other basic security controls.

These are often brushed aside as simple steps, but they’re frequently overlooked, or the risk shows up in the ‘exceptions.’ All of the industrial control industries have some specific challenges with some of these best practices, but they do work.

3. Increase the number of successful attacks that can be detected.

It’s unrealistic to believe that 100% of the threats can be eliminated, so there’s always a need for accurate detection of successful attacks. Again, there are some best practices here that present specific challenges with industrial control systems.

There are also ways in which an ICS-centric environment is actually more defensible than corporate IT. Oil and Gas companies should look at how they can detect anomalous activity or unauthorized changes in their control environments in order to improve this metric.
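One way to make the third metric concrete is a baseline-and-compare check that flags configuration changes in a control environment and separates ticket-approved changes from unauthorized ones. This is an added example, not code from the original post or a Tripwire product; the file paths, contents and the approval record are constructed, hypothetical sample data.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    path: str
    kind: str  # "modified", "added", "removed" or "authorized"

def sha256_text(content: str) -> str:
    return hashlib.sha256(content.encode("utf-8")).hexdigest()

def build_baseline(files: dict) -> dict:
    """Snapshot of path -> digest, taken at a known-good point in time."""
    return {path: sha256_text(body) for path, body in files.items()}

def compare(baseline: dict, current: dict, approved: dict) -> list:
    """Diff the live state against the baseline. A change whose new digest
    matches an approved digest (e.g. from a change ticket) is 'authorized';
    everything else is a finding a defender should investigate."""
    findings = []
    for path, old_digest in baseline.items():
        if path not in current:
            findings.append(Finding(path, "removed"))
            continue
        new_digest = sha256_text(current[path])
        if new_digest != old_digest:
            kind = "authorized" if approved.get(path) == new_digest else "modified"
            findings.append(Finding(path, kind))
    for path in current.keys() - baseline.keys():
        findings.append(Finding(path, "added"))
    return sorted(findings, key=lambda f: f.path)

def unauthorized(findings: list) -> list:
    return [f for f in findings if f.kind != "authorized"]
# Constructed sample data (hypothetical paths and contents, not real systems).
BASELINE_FILES = {
    "/plc/pump01/logic.cfg": "setpoint=45\nalarm_high=60\n",
    "/hmi/alarms.cfg": "email=ops@example.invalid\n",
    "/rtu/site7/modbus.cfg": "unit_id=7\nwrite_enabled=0\n",
}
CURRENT_FILES = {
    "/plc/pump01/logic.cfg": "setpoint=50\nalarm_high=60\n",  # approved via ticket
    "/hmi/alarms.cfg": "email=ops@example.invalid\n",          # unchanged
    "/rtu/site7/modbus.cfg": "unit_id=7\nwrite_enabled=1\n",  # no ticket: suspicious
    "/rtu/site7/vendor_tool.exe": "<binary>",                 # new, unexpected file
}
APPROVED = {"/plc/pump01/logic.cfg": sha256_text(CURRENT_FILES["/plc/pump01/logic.cfg"])}
def demo() -> list:
    return compare(build_baseline(BASELINE_FILES), CURRENT_FILES, APPROVED)
```

Running `demo()` yields one authorized change and two unauthorized findings (a modified Modbus setting and an unexpected new file); only the latter two need a response.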

If you want to see the complete results of our survey, they’re available here.